MyBB Community Forums

Full Version: [F] [Admin CP] odd login behavior
Let's say I request a page such as:

/admin/index.php?module=user/groups&action=add

and find that my admin session has expired so I need to log in again. After submitting the login form, MyBB complains that I didn't "enter a title for this new user group" even though I never tried to add a new user group. :p The problem is that the ACP modules might see the login POST request as a request intended for them.
I noticed that myself. It only checks if there is a POST request, not what kind of POST request it is.
Yeh, I noticed this too recently. Not exactly sure how we could fix it.

Since logging in can't pass post request methods anyway, I guess just making sure it's forced to get afterward would work.

$db->insert_query("adminsessions", $admin_session);
my_setcookie("adminsid", $sid);
$post_verify = false;

Add after

$mybb->request_method = "get";

Anybody have a better solution?
What about
if($mybb->request_method == 'post' && $mybb->input['do'] != 'login')
Although you would have to change it in all the modules.
Yeh, that's what I'm trying to avoid.
Your solution sounds the most logical I think, Ryan.
Do a redirect back to the page instead of parsing/loading it internally?
(2008-08-19, 11:04 AM) Chris Boulton wrote: Do a redirect back to the page instead of parsing/loading it internally?

huh?
(2008-08-18, 03:31 PM) Ryan Gordon wrote:
$mybb->request_method = "get";

That seems like kind of a hack, but I guess it's fine... /admin/index.php already does the same thing when your anti-CSRF token doesn't match up.
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.
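
The behavior discussed in this thread, as an added example that is not part of the original posts and is not MyBB's code: a minimal front controller that logs the user in and then dispatches to a module within the same request, run with no fix and with the two fixes proposed above. The functions handle_request() and group_module(), the $fix values, and the sample POST data are hypothetical stand-ins.

```php
<?php
// Added illustration: a minimal stand-in for an admin front controller.
// handle_request(), group_module() and the $fix values are hypothetical;
// this is not MyBB's code.

// Module handler: like the ACP modules in the thread, it treats any POST
// as a submission of its own "add group" form.
function group_module(string $method, array $input, bool $check_do): string
{
    $is_post = ($method === 'post');
    if ($check_do) {
        // Per-module guard suggested in the thread: ignore the login POST.
        $is_post = $is_post && (($input['do'] ?? '') !== 'login');
    }
    if ($is_post) {
        if (trim($input['title'] ?? '') === '') {
            return 'error: no title entered for this new user group';
        }
        return 'group created: ' . $input['title'];
    }
    return 'show empty add-group form';
}

// Front controller: authenticates first, then dispatches to the module
// within the same request.
function handle_request(string $method, array $input, string $fix): string
{
    if (($input['do'] ?? '') === 'login') {
        // (credential check and session creation omitted)
        if ($fix === 'force_get') {
            // Central fix from the thread: the login POST has been consumed,
            // so the module must see the request as a plain GET.
            $method = 'get';
        }
    }
    return group_module($method, $input, $fix === 'check_do');
}

// Constructed sample: the login form posted to the add-group URL.
$login_post = ['do' => 'login', 'username' => 'admin', 'password' => 'x'];

foreach (['none', 'force_get', 'check_do'] as $fix) {
    printf("%-9s => %s\n", $fix, handle_request('post', $login_post, $fix));
}
```

The central reset needs one change in the controller, while the per-module guard has to be repeated in every handler that tests for a POST.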